security: Add v2::Validator implementation
Based on the code originally written by Qiuhan Ding
Change-Id: Ib66e24f49d0b6fb2ae21ea1fca7b9ec62ecb753a
Refs: #3289, #1872
diff --git a/src/security/v2/certificate-cache.cpp b/src/security/v2/certificate-cache.cpp
index b3b745d..b9d15aa 100644
--- a/src/security/v2/certificate-cache.cpp
+++ b/src/security/v2/certificate-cache.cpp
@@ -59,28 +59,28 @@
}
const Certificate*
-CertificateCache::find(const Name& keyName)
+CertificateCache::find(const Name& certPrefix) const
{
- refresh();
- if (keyName.size() > 0 && keyName[-1].isImplicitSha256Digest()) {
+ const_cast<CertificateCache*>(this)->refresh();
+ if (certPrefix.size() > 0 && certPrefix[-1].isImplicitSha256Digest()) {
NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
}
- auto itr = m_certsByName.lower_bound(keyName);
- if (itr == m_certsByName.end() || !keyName.isPrefixOf(itr->getCertName()))
+ auto itr = m_certsByName.lower_bound(certPrefix);
+ if (itr == m_certsByName.end() || !certPrefix.isPrefixOf(itr->getCertName()))
return nullptr;
return &itr->cert;
}
const Certificate*
-CertificateCache::find(const Interest& interest)
+CertificateCache::find(const Interest& interest) const
{
if (interest.getChildSelector() >= 0) {
- NDN_LOG_DEBUG("Certificate search using ChildSelector is not supported, search as if selector not specified");
+ NDN_LOG_DEBUG("Certificate search using ChildSelector is not supported, searching as if selector not specified");
}
if (interest.getName().size() > 0 && interest.getName()[-1].isImplicitSha256Digest()) {
- NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
+ NDN_LOG_INFO("Certificate search using name with implicit digest is not yet supported");
}
- refresh();
+ const_cast<CertificateCache*>(this)->refresh();
for (auto i = m_certsByName.lower_bound(interest.getName());
i != m_certsByName.end() && interest.getName().isPrefixOf(i->getCertName());
diff --git a/src/security/v2/certificate-cache.hpp b/src/security/v2/certificate-cache.hpp
index 4bf9f3c..f649776 100644
--- a/src/security/v2/certificate-cache.hpp
+++ b/src/security/v2/certificate-cache.hpp
@@ -64,13 +64,13 @@
/**
* @brief Get certificate given key name
- * @param keyName Key name for searching the certificate.
+ * @param certPrefix Certificate prefix for searching the certificate.
* @return The found certificate, nullptr if not found.
*
* @note The returned value may be invalidated after next call to one of find methods.
*/
const Certificate*
- find(const Name& keyName);
+ find(const Name& certPrefix) const;
/**
* @brief Find certificate given interest
@@ -82,7 +82,7 @@
* @note The returned value may be invalidated after next call to one of find methods.
*/
const Certificate*
- find(const Interest& interest);
+ find(const Interest& interest) const;
private:
class Entry
diff --git a/src/security/v2/certificate-request.hpp b/src/security/v2/certificate-request.hpp
new file mode 100644
index 0000000..863d7c3
--- /dev/null
+++ b/src/security/v2/certificate-request.hpp
@@ -0,0 +1,60 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
+#define NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
+
+#include "../../interest.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Request for a certificate, associated with the number of attempts
+ */
+class CertificateRequest : noncopyable
+{
+public:
+ CertificateRequest()
+ : m_nRetriesLeft(0)
+ {
+ }
+
+ explicit
+ CertificateRequest(const Interest& interest, uint64_t requesterFaceId = 0)
+ : m_interest(interest)
+ , m_nRetriesLeft(3)
+ {
+ }
+
+public:
+ /// @brief the name for the requested data/certificate.
+ Interest m_interest;
+ /// @brief the number of remaining retries after time out or NACK
+ int m_nRetriesLeft;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_CERTIFICATE_REQUEST_HPP
diff --git a/src/security/v2/key-chain.cpp b/src/security/v2/key-chain.cpp
index 850ad58..47cb75d 100644
--- a/src/security/v2/key-chain.cpp
+++ b/src/security/v2/key-chain.cpp
@@ -681,6 +681,8 @@
sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm()));
sigInfo.setKeyLocator(KeyLocator(key.getName()));
+
+ NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
return std::make_tuple(key.getName(), sigInfo);
}
diff --git a/src/security/v2/key-chain.hpp b/src/security/v2/key-chain.hpp
index 0e8402e..7cb71f2 100644
--- a/src/security/v2/key-chain.hpp
+++ b/src/security/v2/key-chain.hpp
@@ -22,6 +22,7 @@
#ifndef NDN_SECURITY_V2_KEY_CHAIN_HPP
#define NDN_SECURITY_V2_KEY_CHAIN_HPP
+#include "../security-common.hpp"
#include "certificate.hpp"
#include "../key-params.hpp"
#include "../pib/pib.hpp"
diff --git a/src/security/v2/validation-callback.hpp b/src/security/v2/validation-callback.hpp
new file mode 100644
index 0000000..7ef4564
--- /dev/null
+++ b/src/security/v2/validation-callback.hpp
@@ -0,0 +1,58 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
+#define NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
+
+#include "../../interest.hpp"
+#include "../../data.hpp"
+#include "../security-common.hpp"
+#include "validation-error.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Callback to report a successful Data validation.
+ */
+typedef function<void(const Data& data)> DataValidationSuccessCallback;
+
+/**
+ * @brief Callback to report a failed Data validation.
+ */
+typedef function<void(const Data& data, const ValidationError& error)> DataValidationFailureCallback;
+
+/**
+ * @brief Callback to report a successful Interest validation.
+ */
+typedef function<void(const Interest& interest)> InterestValidationSuccessCallback;
+
+/**
+ * @brief Callback to report a failed Interest validation.
+ */
+typedef function<void(const Interest& interest, const ValidationError& error)> InterestValidationFailureCallback;
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_CALLBACK_HPP
diff --git a/src/security/v2/validation-error.cpp b/src/security/v2/validation-error.cpp
new file mode 100644
index 0000000..5868a6d
--- /dev/null
+++ b/src/security/v2/validation-error.cpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-error.hpp"
+
+#include <ostream>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+std::ostream&
+operator<<(std::ostream& os, ValidationError::Code code)
+{
+ switch (code) {
+ case ValidationError::Code::NO_ERROR:
+ return os << "No error";
+ case ValidationError::Code::INVALID_SIGNATURE:
+ return os << "Invalid signature";
+ case ValidationError::Code::NO_SIGNATURE:
+ return os << "Missing signature";
+ case ValidationError::Code::CANNOT_RETRIEVE_CERT:
+ return os << "Cannot retrieve certificate";
+ case ValidationError::Code::EXPIRED_CERT:
+ return os << "Certificate expired";
+ case ValidationError::Code::LOOP_DETECTED:
+ return os << "Loop detected in certification chain";
+ case ValidationError::Code::MALFORMED_CERT:
+ return os << "Malformed certificate";
+ case ValidationError::Code::EXCEEDED_DEPTH_LIMIT:
+ return os << "Exceeded validation depth limit";
+ case ValidationError::Code::INVALID_KEY_LOCATOR:
+ return os << "Key locator violates validation policy";
+ case ValidationError::Code::POLICY_ERROR:
+ return os << "Validation policy error";
+ case ValidationError::Code::IMPLEMENTATION_ERROR:
+ return os << "Internal implementation error";
+ case ValidationError::Code::USER_MIN:
+ break;
+ }
+ if (code >= ValidationError::Code::USER_MIN) {
+ return os << "Custom error code " << static_cast<uint32_t>(code);
+ }
+ else {
+ return os << "Unrecognized error code " << static_cast<uint32_t>(code);
+ }
+}
+
+std::ostream&
+operator<<(std::ostream& os, const ValidationError& error)
+{
+ os << static_cast<ValidationError::Code>(error.getCode());
+ if (!error.getInfo().empty()) {
+ os << " (" << error.getInfo() << ")";
+ }
+ return os;
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-error.hpp b/src/security/v2/validation-error.hpp
new file mode 100644
index 0000000..e737e87
--- /dev/null
+++ b/src/security/v2/validation-error.hpp
@@ -0,0 +1,93 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_ERROR_HPP
+#define NDN_SECURITY_V2_VALIDATION_ERROR_HPP
+
+#include "../../common.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Validation error code and optional detailed error message
+ */
+class ValidationError
+{
+public:
+ /**
+ * @brief Known validation error code
+ * @sa specs/validation-error-code.rst
+ */
+ enum Code : uint32_t {
+ NO_ERROR = 0,
+ INVALID_SIGNATURE = 1,
+ NO_SIGNATURE = 2,
+ CANNOT_RETRIEVE_CERT = 3,
+ EXPIRED_CERT = 4,
+ LOOP_DETECTED = 5,
+ MALFORMED_CERT = 6,
+ EXCEEDED_DEPTH_LIMIT = 7,
+ INVALID_KEY_LOCATOR = 8,
+ POLICY_ERROR = 9,
+ IMPLEMENTATION_ERROR = 255,
+ USER_MIN = 256 // custom error codes should use >=256
+ };
+
+public:
+ /**
+ * @brief Validation error, implicitly convertible from an error code and info
+ */
+ ValidationError(uint32_t code, const std::string& info = "")
+ : m_code(code)
+ , m_info(info)
+ {
+ }
+
+ uint32_t
+ getCode() const
+ {
+ return m_code;
+ }
+
+ const std::string&
+ getInfo() const
+ {
+ return m_info;
+ }
+
+private:
+ uint32_t m_code;
+ std::string m_info;
+};
+
+std::ostream&
+operator<<(std::ostream& os, ValidationError::Code code);
+
+std::ostream&
+operator<<(std::ostream& os, const ValidationError& error);
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_ERROR_HPP
diff --git a/src/security/v2/validation-policy-accept-all.hpp b/src/security/v2/validation-policy-accept-all.hpp
new file mode 100644
index 0000000..0d955db
--- /dev/null
+++ b/src/security/v2/validation-policy-accept-all.hpp
@@ -0,0 +1,56 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
+
+#include "validation-policy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief A validator policy that accepts any signature of data and interest packets
+ */
+class ValidationPolicyAcceptAll : public ValidationPolicy
+{
+public:
+ void
+ checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) final
+ {
+ continueValidation(nullptr, state);
+ }
+
+ void
+ checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) final
+ {
+ continueValidation(nullptr, state);
+ }
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_ACCEPT_ALL_HPP
diff --git a/src/security/v2/validation-policy-simple-hierarchy.cpp b/src/security/v2/validation-policy-simple-hierarchy.cpp
new file mode 100644
index 0000000..ee1ad94
--- /dev/null
+++ b/src/security/v2/validation-policy-simple-hierarchy.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-policy-simple-hierarchy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+void
+ValidationPolicySimpleHierarchy::checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ if (!data.getSignature().hasKeyLocator()) {
+ return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Required key locator is missing"});
+ }
+ const KeyLocator& locator = data.getSignature().getKeyLocator();
+ if (locator.getType() != KeyLocator::KeyLocator_Name) {
+ return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Key locator not Name"});
+ }
+ if (locator.getName().getPrefix(-2).isPrefixOf(data.getName())) {
+ continueValidation(make_shared<CertificateRequest>(Interest(locator.getName())), state);
+ }
+ else {
+ state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Data signing policy violation for " +
+ data.getName().toUri() + " by " + locator.getName().toUri()});
+ }
+}
+
+void
+ValidationPolicySimpleHierarchy::checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ SignatureInfo info;
+ try {
+ info.wireDecode(interest.getName().at(signed_interest::POS_SIG_INFO).blockFromValue());
+ }
+ catch (const tlv::Error& e) {
+ return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Invalid signed interest (" +
+ std::string(e.what()) + ")"});
+ }
+ if (!info.hasKeyLocator()) {
+ return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Required key locator is missing"});
+ }
+ const KeyLocator& locator = info.getKeyLocator();
+ if (locator.getType() != KeyLocator::KeyLocator_Name) {
+ return state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Key locator not Name"});
+ }
+ if (locator.getName().getPrefix(-2).isPrefixOf(interest.getName())) {
+ continueValidation(make_shared<CertificateRequest>(Interest(locator.getName())), state);
+ }
+ else {
+ state->fail({ValidationError::Code::INVALID_KEY_LOCATOR, "Interest signing policy violation for " +
+ interest.getName().toUri() + " by " + locator.getName().toUri()});
+ }
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-policy-simple-hierarchy.hpp b/src/security/v2/validation-policy-simple-hierarchy.hpp
new file mode 100644
index 0000000..ac08c8a
--- /dev/null
+++ b/src/security/v2/validation-policy-simple-hierarchy.hpp
@@ -0,0 +1,50 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
+
+#include "validation-policy.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Validation policy for a simple hierarchical trust model
+ */
+class ValidationPolicySimpleHierarchy : public ValidationPolicy
+{
+public:
+ void
+ checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) override;
+
+ void
+ checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) override;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_SIMPLE_HIERARCHY_HPP
diff --git a/src/security/v2/validation-policy.hpp b/src/security/v2/validation-policy.hpp
new file mode 100644
index 0000000..7d85803
--- /dev/null
+++ b/src/security/v2/validation-policy.hpp
@@ -0,0 +1,110 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_POLICY_HPP
+#define NDN_SECURITY_V2_VALIDATION_POLICY_HPP
+
+#include "validation-state.hpp"
+#include "certificate-request.hpp"
+#include "../../data.hpp"
+#include "../../interest.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Abstraction that implements validation policy for Data and Interest packets
+ */
+class ValidationPolicy : noncopyable
+{
+public:
+ using ValidationContinuation = std::function<void(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state)>;
+
+ virtual
+ ~ValidationPolicy() = default;
+
+ /**
+ * @brief Check @p data against the policy
+ *
+ * Depending on implementation of the policy, this check can be done synchronously or
+ * asynchronously.
+ *
+ * Semantics of checkPolicy has changed from v1::Validator
+ * - If packet violates policy, the policy should call `state->fail` with appropriate error
+ * code and error description.
+ * - If packet conforms to the policy and no further key retrievals are necessary,
+ * the policy should call continueValidation(state, nullptr)
+ * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+ * continueValidation(state, <appropriate-key-request-instance>)
+ */
+ virtual void
+ checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) = 0;
+
+ /**
+ * @brief Check @p interest against the policy
+ *
+ * Depending on implementation of the policy, this check can be done synchronously or
+ * asynchronously.
+ *
+ * Semantics of checkPolicy has changed from v1::Validator
+ * - If packet violates policy, the policy should call `state->fail` with appropriate error
+ * code and error description.
+ * - If packet conforms to the policy and no further key retrievals are necessary,
+ * the policy should call continueValidation(state, nullptr)
+ * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+ * continueValidation(state, <appropriate-key-request-instance>)
+ */
+ virtual void
+ checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) = 0;
+
+ /**
+ * @brief Check @p certificate against the policy
+ *
+ * Unless overridden by the policy, this check defaults to `checkPolicy(const Data&, ...)`.
+ *
+ * Depending on implementation of the policy, this check can be done synchronously or
+ * asynchronously.
+ *
+ * Semantics of checkPolicy has changed from v1::Validator
+ * - If packet violates policy, the policy should call `state->fail` with appropriate error
+ * code and error description.
+ * - If packet conforms to the policy and no further key retrievals are necessary,
+ * the policy should call continueValidation(state, nullptr)
+ * - If packet conforms to the policy and a key needs to be fetched, the policy should call
+ * continueValidation(state, <appropriate-key-request-instance>)
+ */
+ virtual void
+ checkPolicy(const Certificate& certificate, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+ {
+ checkPolicy(static_cast<const Data&>(certificate), state, continueValidation);
+ }
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_POLICY_HPP
diff --git a/src/security/v2/validation-state.cpp b/src/security/v2/validation-state.cpp
new file mode 100644
index 0000000..269ef2d
--- /dev/null
+++ b/src/security/v2/validation-state.cpp
@@ -0,0 +1,208 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validation-state.hpp"
+#include "validator.hpp"
+#include "../verification-helpers.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.ValidationState);
+
+#define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(this->getDepth() + 1, '>') << " " << x)
+#define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(this->getDepth() + 1, '>') << " " << x)
+
+ValidationState::ValidationState()
+ : m_hasOutcome(false)
+{
+}
+
+ValidationState::~ValidationState()
+{
+ NDN_LOG_TRACE(__func__);
+ BOOST_ASSERT(m_hasOutcome);
+}
+
+size_t
+ValidationState::getDepth() const
+{
+ return m_certificateChain.size();
+}
+
+bool
+ValidationState::hasSeenCertificateName(const Name& certName)
+{
+ return !m_seenCertificateNames.insert(certName).second;
+}
+
+void
+ValidationState::addCertificate(const Certificate& cert)
+{
+ m_certificateChain.push_front(cert);
+}
+
+const Certificate*
+ValidationState::verifyCertificateChain(const Certificate& trustedCert)
+{
+ const Certificate* validatedCert = &trustedCert;
+ for (auto it = m_certificateChain.begin(); it != m_certificateChain.end(); ++it) {
+ const auto& certToValidate = *it;
+
+ if (!verifySignature(certToValidate, *validatedCert)) {
+ this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of certificate `" +
+ certToValidate.getName().toUri() + "`"});
+ m_certificateChain.erase(it, m_certificateChain.end());
+ return nullptr;
+ }
+ else {
+ NDN_LOG_TRACE_DEPTH("OK signature for certificate `" << certToValidate.getName() << "`");
+ validatedCert = &certToValidate;
+ }
+ }
+ return validatedCert;
+}
+
+/////// DataValidationState
+
+DataValidationState::DataValidationState(const Data& data,
+ const DataValidationSuccessCallback& successCb,
+ const DataValidationFailureCallback& failureCb)
+ : m_data(data)
+ , m_successCb(successCb)
+ , m_failureCb(failureCb)
+{
+ BOOST_ASSERT(m_successCb != nullptr);
+ BOOST_ASSERT(m_failureCb != nullptr);
+}
+
+DataValidationState::~DataValidationState()
+{
+ if (!m_hasOutcome) {
+ this->fail({ValidationError::Code::IMPLEMENTATION_ERROR,
+ "Validator/policy did not invoke success or failure callback"});
+ }
+}
+
+void
+DataValidationState::verifyOriginalPacket(const Certificate& trustedCert)
+{
+ if (verifySignature(m_data, trustedCert)) {
+ NDN_LOG_TRACE_DEPTH("OK signature for data `" << m_data.getName() << "`");
+ m_successCb(m_data);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+ }
+ else {
+ this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of data `" +
+ m_data.getName().toUri() + "`"});
+ }
+}
+
+void
+DataValidationState::bypassValidation()
+{
+ NDN_LOG_TRACE_DEPTH("Signature verification bypassed for data `" << m_data.getName() << "`");
+ m_successCb(m_data);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+}
+
+void
+DataValidationState::fail(const ValidationError& error)
+{
+ NDN_LOG_DEBUG_DEPTH(error);
+ m_failureCb(m_data, error);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+}
+
+const Data&
+DataValidationState::getOriginalData() const
+{
+ return m_data;
+}
+
+/////// InterestValidationState
+
+InterestValidationState::InterestValidationState(const Interest& interest,
+ const InterestValidationSuccessCallback& successCb,
+ const InterestValidationFailureCallback& failureCb)
+ : m_interest(interest)
+ , m_successCb(successCb)
+ , m_failureCb(failureCb)
+{
+ BOOST_ASSERT(m_successCb != nullptr);
+ BOOST_ASSERT(m_failureCb != nullptr);
+}
+
+InterestValidationState::~InterestValidationState()
+{
+ if (!m_hasOutcome) {
+ this->fail({ValidationError::Code::IMPLEMENTATION_ERROR,
+ "Validator/policy did not invoke success or failure callback"});
+ }
+}
+
+void
+InterestValidationState::verifyOriginalPacket(const Certificate& trustedCert)
+{
+ if (verifySignature(m_interest, trustedCert)) {
+ NDN_LOG_TRACE_DEPTH("OK signature for interest `" << m_interest.getName() << "`");
+ m_successCb(m_interest);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+ }
+ else {
+ this->fail({ValidationError::Code::INVALID_SIGNATURE, "Invalid signature of interest `" +
+ m_interest.getName().toUri() + "`"});
+ }
+}
+
+void
+InterestValidationState::bypassValidation()
+{
+ NDN_LOG_TRACE_DEPTH("Signature verification bypassed for interest `" << m_interest.getName() << "`");
+ m_successCb(m_interest);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+}
+
+void
+InterestValidationState::fail(const ValidationError& error)
+{
+ NDN_LOG_DEBUG_DEPTH(error);
+ m_failureCb(m_interest, error);
+ BOOST_ASSERT(!m_hasOutcome);
+ m_hasOutcome = true;
+}
+
+const Interest&
+InterestValidationState::getOriginalInterest() const
+{
+ return m_interest;
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validation-state.hpp b/src/security/v2/validation-state.hpp
new file mode 100644
index 0000000..2181fae
--- /dev/null
+++ b/src/security/v2/validation-state.hpp
@@ -0,0 +1,243 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATION_STATE_HPP
+#define NDN_SECURITY_V2_VALIDATION_STATE_HPP
+
+#include "../../tag-host.hpp"
+#include "validation-callback.hpp"
+#include "certificate.hpp"
+
+#include <unordered_set>
+#include <list>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+class Validator;
+
+/**
+ * @brief Validation state
+ *
+ * One instance of the validation state is kept for the validation of the whole certificate
+ * chain.
+ *
+ * The state collects the certificate chain that adheres to the selected validation policy to
+ * validate data or interest packets. Certificate, data, and interest packet signatures are
+ * verified only after the validator determines that the chain terminates with a trusted
+ * certificate (a trusted anchor or a previously validated certificate). This model allows
+ * filtering out invalid certificate chains without incurring (costly) cryptographic signature
+ * verification overhead and mitigates some forms of denial-of-service attacks.
+ *
+ * Validation policy and/or key fetcher may add custom information associated with the
+ * validation state using tags (@sa TagHost)
+ *
+ * @sa DataValidationState, InterestValidationState
+ */
+class ValidationState : public TagHost, noncopyable
+{
+public:
+ /**
+ * @brief Create validation state
+ */
+ ValidationState();
+
+ virtual
+ ~ValidationState();
+
+ /**
+ * @brief Call the failure callback
+ */
+ virtual void
+ fail(const ValidationError& error) = 0;
+
+ /**
+ * @return Depth of certificate chain
+ */
+ size_t
+ getDepth() const;
+
+ /**
+ * @brief Check if @p certName has been previously seen and record the supplied name
+ */
+ bool
+ hasSeenCertificateName(const Name& certName);
+
+ /**
+ * @brief Add @p cert to the top of the certificate chain
+ *
+ * If m_certificateChain is empty, @p cert should be the signer of the original
+ * packet. If m_certificateChain is not empty, @p cert should be the signer of
+ * m_certificateChain.front().
+ *
+ * @post m_certificateChain.front() == cert
+ * @note This function does not verify the signature bits.
+ */
+ void
+ addCertificate(const Certificate& cert);
+
+private: // Interface intended to be used only by Validator class
+ /**
+ * @brief Verify signature of the original packet
+ *
+ * @param trustCert The certificate that signs the original packet
+ */
+ virtual void
+ verifyOriginalPacket(const Certificate& trustedCert) = 0;
+
+ /**
+ * @brief Call success callback of the original packet without signature validation
+ */
+ virtual void
+ bypassValidation() = 0;
+
+ /**
+ * @brief Verify signatures of certificates in the certificate chain
+ *
+ * When certificate chain cannot be verified, this method will call this->fail() with
+ * INVALID_SIGNATURE error code and the appropriate diagnostic message.
+ *
+ * @retval nullptr Signatures of at least one certificate in the chain is invalid. All unverified
+ * certificates have been removed from m_certificateChain.
+ * @retval Certificate to validate original data packet, either m_certificateChain.back() or
+ * trustedCert if the certificate chain is empty.
+ *
+ * @post m_certificateChain includes a list of certificates successfully verified by
+ * @p trustedCert.
+ */
+ const Certificate*
+ verifyCertificateChain(const Certificate& trustedCert);
+
+protected:
+ bool m_hasOutcome;
+
+private:
+ std::unordered_set<Name> m_seenCertificateNames;
+
+ /**
+ * @brief the certificate chain
+ *
+ * Each certificate in the chain signs the next certificate. The last certificate signs the
+ * original packet.
+ */
+ std::list<v2::Certificate> m_certificateChain;
+
+ friend class Validator;
+};
+
+/**
+ * @brief Validation state for a data packet
+ */
+class DataValidationState final : public ValidationState
+{
+public:
+ /**
+ * @brief Create validation state for @p data
+ *
+ * The caller must ensure that state instance is valid until validation finishes (i.e., until
+ * after validateCertificateChain() and validateOriginalPacket() are called)
+ */
+ DataValidationState(const Data& data,
+ const DataValidationSuccessCallback& successCb,
+ const DataValidationFailureCallback& failureCb);
+
+ /**
+ * @brief Destructor
+ *
+ * If neither success callback nor failure callback was called, the destructor will call
+ * failure callback with IMPLEMENTATION_ERROR error code.
+ */
+ ~DataValidationState() final;
+
+ void
+ fail(const ValidationError& error) final;
+
+ /**
+ * @return Original data being validated
+ */
+ const Data&
+ getOriginalData() const;
+
+private:
+ void
+ verifyOriginalPacket(const Certificate& trustedCert) final;
+
+ void
+ bypassValidation() final;
+
+private:
+ Data m_data;
+ DataValidationSuccessCallback m_successCb;
+ DataValidationFailureCallback m_failureCb;
+};
+
+/**
+ * @brief Validation state for an interest packet
+ */
+class InterestValidationState final : public ValidationState
+{
+public:
+ /**
+ * @brief Create validation state for @p interest
+ *
+ * The caller must ensure that state instance is valid until validation finishes (i.e., until
+ * after validateCertificateChain() and validateOriginalPacket() are called)
+ */
+ InterestValidationState(const Interest& interest,
+ const InterestValidationSuccessCallback& successCb,
+ const InterestValidationFailureCallback& failureCb);
+
+ /**
+ * @brief Destructor
+ *
+ * If neither success callback nor failure callback was called, the destructor will call
+ * failure callback with IMPLEMENTATION_ERROR error code.
+ */
+ ~InterestValidationState() final;
+
+ void
+ fail(const ValidationError& error) final;
+
+ /**
+ * @return Original interest being validated
+ */
+ const Interest&
+ getOriginalInterest() const;
+
+private:
+ void
+ verifyOriginalPacket(const Certificate& trustedCert) final;
+
+ void
+ bypassValidation() final;
+
+private:
+ Interest m_interest;
+ InterestValidationSuccessCallback m_successCb;
+ InterestValidationFailureCallback m_failureCb;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATION_STATE_HPP
diff --git a/src/security/v2/validator.cpp b/src/security/v2/validator.cpp
new file mode 100644
index 0000000..b18fc75
--- /dev/null
+++ b/src/security/v2/validator.cpp
@@ -0,0 +1,320 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "validator.hpp"
+
+#include "face.hpp"
+#include "security/transform/public-key.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.Validator);
+
+#define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(state->getDepth() + 1, '>') << " " << x)
+#define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(state->getDepth() + 1, '>') << " " << x)
+
+Validator::Validator(unique_ptr<ValidationPolicy> policy, Face* face)
+ : m_policy(std::move(policy))
+ , m_face(face)
+ , m_verifiedCertificateCache(time::hours(1))
+ , m_unverifiedCertificateCache(time::minutes(5))
+ , m_maxDepth(25)
+{
+}
+
+Validator::~Validator() = default;
+
+void
+Validator::setMaxDepth(size_t depth)
+{
+ m_maxDepth = depth;
+}
+
+size_t
+Validator::getMaxDepth() const
+{
+ return m_maxDepth;
+}
+
+void
+Validator::validate(const Data& data,
+ const DataValidationSuccessCallback& successCb,
+ const DataValidationFailureCallback& failureCb)
+{
+ auto state = make_shared<DataValidationState>(data, successCb, failureCb);
+ NDN_LOG_DEBUG_DEPTH("Start validating data " << data.getName());
+
+ m_policy->checkPolicy(data, state,
+ [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+ if (certRequest == nullptr) {
+ state->bypassValidation();
+ }
+ else {
+ // need to fetch key and validate it
+ requestCertificate(certRequest, state);
+ }
+ });
+}
+
+void
+Validator::validate(const Interest& interest,
+ const InterestValidationSuccessCallback& successCb,
+ const InterestValidationFailureCallback& failureCb)
+{
+ auto state = make_shared<InterestValidationState>(interest, successCb, failureCb);
+ NDN_LOG_DEBUG_DEPTH("Start validating interest " << interest.getName());
+
+ m_policy->checkPolicy(interest, state,
+ [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+ if (certRequest == nullptr) {
+ state->bypassValidation();
+ }
+ else {
+ // need to fetch key and validate it
+ requestCertificate(certRequest, state);
+ }
+ });
+}
+
+void
+Validator::validate(const Certificate& cert, const shared_ptr<ValidationState>& state)
+{
+ NDN_LOG_DEBUG_DEPTH("Start validating certificate " << cert.getName());
+ m_policy->checkPolicy(cert, state,
+ [this, cert] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
+ if (certRequest == nullptr) {
+ state->fail({ValidationError::POLICY_ERROR, "Validation policy is not allowed to designate `" +
+ cert.getName().toUri() + "` as a trust anchor"});
+ }
+ else {
+ // need to fetch key and validate it
+ state->addCertificate(cert);
+ requestCertificate(certRequest, state);
+ }
+ });
+}
+
+const Certificate*
+Validator::findTrustedCert(const Interest& interestForCertificate, const shared_ptr<ValidationState>& state)
+{
+ auto anchor = m_trustAnchors.find(interestForCertificate);
+ if (anchor != nullptr) {
+ NDN_LOG_TRACE_DEPTH("Found certificate in anchor cache " << anchor->getName());
+ return anchor;
+ }
+
+ auto key = m_verifiedCertificateCache.find(interestForCertificate);
+ if (key != nullptr) {
+ NDN_LOG_TRACE_DEPTH("Found certificate in verified key cache " << key->getName());
+ return key;
+ }
+ return nullptr;
+}
+
+void
+Validator::requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state)
+{
+ // TODO configurable check for the maximum number of steps
+ if (state->getDepth() >= m_maxDepth) {
+ state->fail({ValidationError::Code::EXCEEDED_DEPTH_LIMIT,
+ "Exceeded validation depth limit (" + to_string(m_maxDepth) + ")"});
+ return;
+ }
+
+ NDN_LOG_DEBUG_DEPTH("Retrieving " << certRequest->m_interest.getName());
+
+ // Check the trusted cache
+ auto cert = findTrustedCert(certRequest->m_interest, state);
+ if (cert != nullptr) {
+ cert = state->verifyCertificateChain(*cert);
+ if (cert != nullptr) {
+ state->verifyOriginalPacket(*cert);
+ }
+ for (auto trustedCert = std::make_move_iterator(state->m_certificateChain.begin());
+ trustedCert != std::make_move_iterator(state->m_certificateChain.end());
+ ++trustedCert) {
+ cacheVerifiedCertificate(*trustedCert);
+ }
+ return;
+ }
+
+ if (state->hasSeenCertificateName(certRequest->m_interest.getName())) {
+ state->fail({ValidationError::Code::LOOP_DETECTED,
+ "Loop detected at " + certRequest->m_interest.getName().toUri()});
+ return;
+ }
+
+ // Check untrusted cache
+ cert = m_unverifiedCertificateCache.find(certRequest->m_interest);
+ if (cert != nullptr) {
+ NDN_LOG_DEBUG_DEPTH("Found certificate in **un**verified key cache " << cert->getName());
+ return dataCallback(*cert, certRequest, state, false); // to avoid caching the cached key
+ }
+
+ // Attempt to retrieve certificate from the network
+ fetchCertificateFromNetwork(certRequest, state);
+}
+
+void
+Validator::fetchCertificateFromNetwork(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state)
+{
+ if (m_face == nullptr) {
+ state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate in offline mode "
+ "`" + certRequest->m_interest.getName().toUri() + "`"});
+ return;
+ }
+
+ m_face->expressInterest(certRequest->m_interest,
+ [=] (const Interest& interest, const Data& data) {
+ dataCallback(data, certRequest, state);
+ },
+ [=] (const Interest& interest, const lp::Nack& nack) {
+ nackCallback(nack, certRequest, state);
+ },
+ [=] (const Interest& interest) {
+ timeoutCallback(certRequest, state);
+ });
+}
+
+void
+Validator::dataCallback(const Data& data,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ bool isFromNetwork)
+{
+ NDN_LOG_DEBUG_DEPTH("Retrieved certificate " << (isFromNetwork ? "from network " : "from cache ") << data.getName());
+
+ Certificate cert;
+ try {
+ cert = Certificate(data);
+ }
+ catch (const tlv::Error& e) {
+ return state->fail({ValidationError::Code::MALFORMED_CERT, "Retrieved a malformed certificate "
+ "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+ }
+
+ if (!cert.isValid()) {
+ return state->fail({ValidationError::Code::EXPIRED_CERT, "Retrieved certificate is not yet "
+ "valid or has expired `" + cert.getName().toUri() + "`"});
+ }
+ if (isFromNetwork) {
+ cacheUnverifiedCertificate(Certificate(cert));
+ }
+ return validate(cert, state); // recursion step
+}
+
+void
+Validator::nackCallback(const lp::Nack& nack, const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state)
+{
+ NDN_LOG_DEBUG_DEPTH("NACK (" << nack.getReason() << ") while retrieving certificate "
+ << certRequest->m_interest.getName());
+
+ --certRequest->m_nRetriesLeft;
+ if (certRequest->m_nRetriesLeft > 0) {
+ // TODO implement delay for the the next fetch
+ fetchCertificateFromNetwork(certRequest, state);
+ }
+ else {
+ state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+ "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+ }
+}
+
+void
+Validator::timeoutCallback(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state)
+{
+ NDN_LOG_DEBUG_DEPTH("Timeout while retrieving certificate "
+ << certRequest->m_interest.getName() << ", retrying");
+
+ --certRequest->m_nRetriesLeft;
+ if (certRequest->m_nRetriesLeft > 0) {
+ fetchCertificateFromNetwork(certRequest, state);
+ }
+ else {
+ state->fail({ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+ "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+ }
+}
+
+////////////////////////////////////////////////////////////////////////
+// Trust anchor management
+////////////////////////////////////////////////////////////////////////
+
+void
+Validator::loadAnchor(const std::string& groupId, Certificate&& cert)
+{
+ m_trustAnchors.insert(groupId, std::move(cert));
+}
+
+void
+Validator::loadAnchor(const std::string& groupId, const std::string& certfilePath,
+ time::nanoseconds refreshPeriod, bool isDir)
+{
+ m_trustAnchors.insert(groupId, certfilePath, refreshPeriod, isDir);
+}
+
+void
+Validator::cacheVerifiedCertificate(Certificate&& cert)
+{
+ m_verifiedCertificateCache.insert(std::move(cert));
+}
+
+void
+Validator::cacheUnverifiedCertificate(Certificate&& cert)
+{
+ m_unverifiedCertificateCache.insert(std::move(cert));
+}
+
+const TrustAnchorContainer&
+Validator::getTrustAnchors() const
+{
+ return m_trustAnchors;
+}
+
+const CertificateCache&
+Validator::getVerifiedCertificateCache() const
+{
+ return m_verifiedCertificateCache;
+}
+
+const CertificateCache&
+Validator::getUnverifiedCertificateCache() const
+{
+ return m_unverifiedCertificateCache;
+}
+
+bool
+Validator::isCertificateCached(const Name& certName) const
+{
+ return (getVerifiedCertificateCache().find(certName) != nullptr ||
+ getVerifiedCertificateCache().find(certName) != nullptr);
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/validator.hpp b/src/security/v2/validator.hpp
new file mode 100644
index 0000000..c17ce82
--- /dev/null
+++ b/src/security/v2/validator.hpp
@@ -0,0 +1,276 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_VALIDATOR_HPP
+#define NDN_SECURITY_V2_VALIDATOR_HPP
+
+#include "certificate.hpp"
+#include "certificate-cache.hpp"
+#include "certificate-request.hpp"
+#include "trust-anchor-container.hpp"
+#include "validation-callback.hpp"
+#include "validation-policy.hpp"
+#include "validation-state.hpp"
+
+namespace ndn {
+
+class Face;
+
+namespace lp {
+class Nack;
+} // namespace lp
+
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Interface for validating data and interest packets.
+ *
+ * Every time a validation process initiated, it creates a ValidationState that exist until
+ * validation finishes with either success or failure. This state serves several purposes:
+ * - record Interest or Data packet being validated
+ * - record failure callback
+ * - record certificates in the certification chain for the Interest or Data packet being validated
+ * - record names of the requested certificates to detect loops in the certificate chain
+ * - keep track of the validation chain size (aka validation "depth")
+ *
+ * During validation, policy can augment validation state with policy- and fetcher-specific
+ * information using ndn::Tag's.
+ *
+ * A validator has a trust anchor cache to save static and dynamic trust anchors, a verified
+ * certificate cache for saving certificates that are already verified and an unverified
+ * certificate cache for saving prefetched but not yet verified certificates.
+ *
+ * @todo Limit the maximum time the validation process is allowed to run before declaring failure
+ * @todo Ability to customize maximum lifetime for trusted and untrusted certificate caches.
+ * Current implementation hard-codes them to be 1 hour and 5 minutes.
+ */
+class Validator : noncopyable
+{
+public:
+ /**
+ * @brief Validator constructor.
+ *
+ * @param policy Validation policy to be associated with the validator
+ * @param face Face for fetching certificates from network. If provided, the Validator
+ * operates in online mode; otherwise, the Validator operates in offline mode.
+ */
+ explicit
+ Validator(unique_ptr<ValidationPolicy> policy, Face* face = nullptr);
+
+ ~Validator();
+
+ /**
+ * @brief Set the maximum depth of the certificate chain
+ */
+ void
+ setMaxDepth(size_t depth);
+
+ /**
+ * @return The maximum depth of the certificate chain
+ */
+ size_t
+ getMaxDepth() const;
+
+ /**
+ * @brief Asynchronously validate @p data
+ *
+ * @note @p successCb and @p failureCb must not be nullptr
+ */
+ void
+ validate(const Data& data,
+ const DataValidationSuccessCallback& successCb,
+ const DataValidationFailureCallback& failureCb);
+
+ /**
+ * @brief Asynchronously validate @p interest
+ *
+ * @note @p successCb and @p failureCb must not be nullptr
+ */
+ void
+ validate(const Interest& interest,
+ const InterestValidationSuccessCallback& successCb,
+ const InterestValidationFailureCallback& failureCb);
+
+public: // anchor management
+ /**
+ * @brief load static trust anchor.
+ *
+ * Static trust anchors are permanently associated with the validator and never expire.
+ *
+ * @param groupId Certificate group id.
+ * @param cert Certificate to load as a trust anchor.
+ */
+ void
+ loadAnchor(const std::string& groupId, Certificate&& cert);
+
+ /**
+ * @brief load dynamic trust anchors.
+ *
+ * Dynamic trust anchors are associated with the validator for as long as the underlying
+ * trust anchor file (set of files) exist(s).
+ *
+ * @param groupId Certificate group id, must not be empty.
+ * @param certfilePath Specifies the path to load the trust anchors.
+ * @param refreshPeriod Refresh period for the trust anchors, must be positive.
+ * @param isDir Tells whether the path is a directory or a single file.
+ */
+ void
+ loadAnchor(const std::string& groupId, const std::string& certfilePath,
+ time::nanoseconds refreshPeriod, bool isDir = false);
+
+ /**
+ * @brief Cache verified @p cert a period of time (1 hour)
+ *
+ * @todo Add ability to customize time period
+ */
+ void
+ cacheVerifiedCertificate(Certificate&& cert);
+
+ /**
+ * @brief Cache unverified @p cert for a period of time (5 minutes)
+ *
+ * @todo Add ability to customize time period
+ */
+ void
+ cacheUnverifiedCertificate(Certificate&& cert);
+
+ /**
+ * @return Trust anchor container
+ */
+ const TrustAnchorContainer&
+ getTrustAnchors() const;
+
+ /**
+ * @return Verified certificate cache
+ */
+ const CertificateCache&
+ getVerifiedCertificateCache() const;
+
+ /**
+ * @return Unverified certificate cache
+ */
+ const CertificateCache&
+ getUnverifiedCertificateCache() const;
+
+ /**
+ * @brief Check if certificate with @p certName exists in verified or unverified cache
+ */
+ bool
+ isCertificateCached(const Name& certName) const;
+
+private: // Common validator operations
+ /**
+ * @brief Recursive validation of the certificate in the certification chain
+ *
+ * @param cert The certificate to check.
+ * @param state The current validation state.
+ */
+ void
+ validate(const Certificate& cert, const shared_ptr<ValidationState>& state);
+
+ /**
+ * @brief Request certificate for further validation.
+ *
+ * @param certRequest Certificate request.
+ * @param state The current validation state.
+ */
+ void
+ requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state);
+
+ /**
+ * @brief Find trusted certificate among trust anchors and verified certificates.
+ *
+ * @param interestForCertificate Interest for certificate
+ * @param state The current validation state.
+ *
+ * @return found certificate, nullptr if not found.
+ *
+ * @note The returned pointer may get invalidated after next findTrustedCert call.
+ */
+ const Certificate*
+ findTrustedCert(const Interest& interestForCertificate,
+ const shared_ptr<ValidationState>& state);
+
+ /**
+ * @brief fetch certificate from network based on certificate request.
+ *
+ * @param certRequest Certificate request.
+ * @param state The current validation state.
+ */
+ void
+ fetchCertificateFromNetwork(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state);
+
+ /**
+ * @brief Callback invoked when certificated is retrieved.
+ *
+ * @param data Retrieved certificate.
+ * @param certRequest Certificate request.
+ * @param state The current validation state.
+ * @param isFromNetwork Flag to indicate that the data packet is retrieved (to avoid re-caching).
+ */
+ void
+ dataCallback(const Data& data,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ bool isFromNetwork = true);
+
+ /**
+ * @brief Callback invoked when interest for fetching certificate gets NACKed.
+ *
+ * It will retry for pre-configured amount of retries.
+ *
+ * @param nack Received NACK
+ * @param certRequest Certificate request.
+ * @param state The current validation state.
+ */
+ void
+ nackCallback(const lp::Nack& nack, const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state);
+
+ /**
+ * @brief Callback invoked when interest for fetching certificate times out.
+ *
+ * It will retry for pre-configured amount of retries.
+ *
+ * @param certRequest Certificate request.
+ * @param state The current validation state.
+ */
+ void
+ timeoutCallback(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state);
+
+private:
+ unique_ptr<ValidationPolicy> m_policy;
+ Face* m_face;
+ TrustAnchorContainer m_trustAnchors;
+ CertificateCache m_verifiedCertificateCache;
+ CertificateCache m_unverifiedCertificateCache;
+ size_t m_maxDepth;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_VALIDATOR_HPP